This is not current Splunk documentation.
Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.

Splunk User Manual (Splunk v2.0)

Report Splunks

Create

The report:: modifier is a way to create SQL reports from your search results. If you add report:: to a search, Splunk doesn't deliver results in its usual format. Instead it creates a temporary SQL table, resultstable, based on the results set for the search, executes the value of report:: as a SQL statement, and outputs the results of the statement as a table instead of Splunk's usual results page.

resultstable contains one row for each event, and one column for each identifiable field that Splunk was able to extract from the results of the search. If Splunk cannot extract any fields from an event, it leaves that event out of resultstable so that the report doesn't contain hundreds of blank lines.

The example Splunk below first creates a results table of all events that match eventtype::logon, then selects the pre-trained address fields _ip and _url from each. _ip contains a comma-separated list of all IP addresses for each event; _url contains URLs in the event.

eventtype::logon report::[select _ip, _url from resultstable]

The above Report Splunk would produce a table with two columns, _ip and _url. If an event did not contain a value for _ip or _url, Splunk would exclude its row from the report rather than include an empty row.

Syntax

  • All keywords must be typed in lowercase, contrary to SQL convention. A fix for this is pending.
  • select is the only supported SQL statement.
  • Report Splunks are built on SQLite. See SQLite syntax reference for select for specifics. For example, SELECT does not support TOP and BOTTOM.
  • resultstable is the only table available to be queried. It does not persist after the Report Splunk completes.
  • select statements may be nested.

Shortcuts

Splunk includes several shortcuts to SQL's select syntax for quick splunking.

  • report::[*]

    Shortcut for report::[select * from resultstable]

  • report::[field]

    Shortcut for report::[select field from resultstable]

  • report::[top field]

    Shortcut for report::[select field, count(*) from resultstable group by field order by count(*) desc]

  • report::[rare field]

    Shortcut for report::[select field, count(*) from resultstable group by field order by count(*) asc]

Export...

To save your Report Splunk as a CSV or text file, use the Export function on the Splunks menu.

How Splunk Recognizes Fields

There are three ways Splunk populates fields with values from events.

  • It looks for segments that match the acceptable formats and values for IP addresses and URLs. It uses these to populate the fields _ip and _url.
  • It looks for segments that are probably name-value pairs, such as user=jsmith or level:3. These are used to create fields such as _user and _level on the fly.
  • You can train Splunk to recognize patterns in your data and use them to populate fields with specific names. The training will work on events already in the index, as well as new events indexed after training.
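The report:: mechanism from the Create, Shortcuts and field-recognition sections above, as an added example that is not from the Splunk documentation: a small Python model that pulls _ip, _url and name-value fields out of constructed log lines, builds resultstable in an in-memory SQLite database, expands the four shortcuts, and runs the select while dropping rows that lack a selected field. The regexes, the sample events and the exact exclusion rule are assumptions made for illustration.

```python
import re
import sqlite3
# Constructed sample events (not from the original page); the kernel line carries no field.
EVENTS = [
    "Jan 10 10:01:02 gwrk1 sshd[412]: Accepted password for user=jsmith from 10.0.0.12 http://intranet/login",
    "Jan 10 10:01:09 gwrk1 sshd[413]: Failed password for user=jsmith from 192.168.1.200",
    "Jan 10 10:03:00 gwrk1 kernel: audit buffer full",
    "Jan 10 10:04:11 gwrk1 app: level:3 user=bob from 10.0.0.12",
]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://\S+")
KV_RE = re.compile(r"\b([A-Za-z]\w*)[=:]([^\s,]+)")  # name-value pairs such as user=jsmith or level:3

def extract_fields(event):
    """Populate _ip and _url from address formats, then _name fields from name-value pairs."""
    fields = {name: ",".join(pat.findall(event))  # comma-separated list of all matches
              for name, pat in (("_ip", IP_RE), ("_url", URL_RE)) if pat.search(event)}
    for name, value in KV_RE.findall(URL_RE.sub(" ", event)):  # blank URLs so "http:" is not a pair
        fields["_" + name] = value
    return fields

def expand_shortcut(report):
    """Expand the report::[*], [field], [top field] and [rare field] shortcuts to full selects."""
    report = report.strip()
    if report == "*":
        return "select * from resultstable"
    m = re.fullmatch(r"(top|rare) (\w+)", report)
    if m:
        field, order = m.group(2), "desc" if m.group(1) == "top" else "asc"
        return "select %s, count(*) from resultstable group by %s order by count(*) %s" % (field, field, order)
    if re.fullmatch(r"\w+", report):
        return "select %s from resultstable" % report
    return report

def run_report(events, report):
    """Build the temporary resultstable in SQLite and run the report::[...] value against it."""
    sql = expand_shortcut(report)
    if not sql.startswith("select"):  # select is the only supported statement (lowercase keywords)
        raise ValueError("report:: only supports select")
    rows = [f for f in map(extract_fields, events) if f]  # events with no fields never reach the table
    columns = sorted({name for f in rows for name in f})  # one column per field seen in any event
    conn = sqlite3.connect(":memory:")  # resultstable does not persist after the report
    conn.execute("create table resultstable (%s)" % ", ".join('"%s"' % c for c in columns))
    for f in rows:
        conn.execute("insert into resultstable (%s) values (%s)"
                     % (", ".join('"%s"' % c for c in f), ", ".join("?" * len(f))), list(f.values()))
    cur = conn.execute(sql)
    header = [d[0] for d in cur.description]
    return header, [tuple(r) for r in cur.fetchall() if None not in r]  # drop rows missing a selected field
```

Running the page's logon report, `run_report(EVENTS, "select _ip, _url from resultstable")`, returns only the one event that carries both fields, which is the row-exclusion behaviour the Create section describes.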

report:: and maxresults::

Adding report:: to a Splunk changes the default value of maxresults:: to 500 instead of 10,000. This is to prevent browsers from choking on large reports, but you can use higher values. A pending fix will eliminate the need to worry about browser performance.

The number of rows in a report will usually be less than the value of maxresults::, because the report won't include rows that don't contain the fields specified by the select statement given as the value of the report:: modifier.

No Results?

If you expect results in a report:: but don't get any, it means there were no matching fields in the first maxresults:: results for your Splunk. You can increase the value of maxresults::, but it's more effective to sharpen your Splunk so that relevant values appear in the first 1000 results. Set a time range or specify your event type or source type to remove events that aren't necessary for the report.

Examples

meta::all report::[select * from resultstable where _ip like '%445%']
host::gwrk1 eventtype::?9034 report::[select _ip, count(*) from resultstable group by _ip order by count(*) desc]
